Attackers, confronted by security technologies that prevent memory corruption, like Code Integrity (CI) and Control Flow Guard (CFG), are expectedly shifting their techniques towards data corruption. Attackers use data corruption techniques to focus on system security policy, escalate privileges, tamper with security attestation, modify “initialize once” data structures, among others.
Kernel Data Protection (KDP) could be a new technology that stops data corruption attacks by protecting parts of the Windows kernel and drivers through VBS (Virtualization based security). KDP is a set of APIs that provide the flexibility to mark some kernel memory as read-only, preventing attackers from ever modifying protected memory. for instance, we’ve seen attackers use signed but vulnerable drivers to attack policy data structures and install a malicious, unsigned driver. KDP mitigates such attacks by ensuring that policy data structures cannot be tampered with.
The concept of protecting kernel memory as read-only has valuable applications for the Windows kernel, inbox components, security products, and even third-party drivers like anti-cheat and digital rights management (DRM) software. On top of the important security and tamper protection applications of this technology, other benefits include:
- Performance improvements – KDP lessens the burden on attestation components, which might not get to periodically verify data variables that are write-protected
- Reliability improvements – KDP makes it easier to diagnose memory corruption bugs that don’t necessarily represent security vulnerabilities
- Providing an incentive for driver developers and vendors to enhance compatibility with virtualization-based security, improving adoption of those technologies within the ecosystem
KDP uses technologies that are supported by default Secured-core PCs, which implement a selected set of device requirements that apply the safety best practices of isolation and minimal trust to the technologies that underpin the Windows OS. KDP enhances the protection provided by the features that structure Secured-core PCs by adding another layer of protection for sensitive system configuration data.
In this blog we’ll share technical details about how Kernel Data Protection works and the way it’s implemented on Windows 10, with the goal of inspiring and empowering driver developers and vendors to require full advantage of this technology designed to tackle data corruption attacks.